I have noticed a decent number of homelabbers here on the fediverse and elsewhere on the internet using pfSense as their firewall/router. Personally, I use VyOS, so I figured I might as well talk about why I use VyOS over pfSense.
Why not pfSense
There are a few reasons I prefer not to use pfSense. Most are small gripes I personally have, but there are a few big ones as well.
- There have been accusations that pfSense isn’t open source.
While I have not personally verified these claims, there are quite a few people who claim this is true. Here is a GitHub repo with more information. In short, it is impossible to actually build from source, and pointing that out gets you banned from the pfSense forums.
- The devs are dicks
In 2017 the developers of pfSense bought the domain opnsense.com in order to bad-mouth OPNsense. OPNsense is a fork of pfSense meant to address issues with pfSense. While the project uses opnsense.org, it is understandable why people may click on the .com domain. Included on this site were a bunch of false claims insulting the OPNsense project and its developers, including a clip from the movie Downfall comparing the OPNsense devs to Nazis. For the full site, here is the Web Archive link. Make of it what you will.
- Web UI is run as root
I hope I don’t have to explain why running a PHP-based website as the root user is a bad idea. Any code-execution bug in the web UI becomes full control of the firewall. Seriously, don’t do it.
Personally, I don’t use OPNsense because I prefer not to use a web UI to manage my firewall. Additionally, I prefer a Linux-based OS over *BSD as I am more familiar with Linux. However, for those who still want a web UI but don’t want to use pfSense, it is a good option.
- Linux based OS
I just really like Linux and I appreciate having a familiar environment to work with. I’m not saying *BSD OSes are bad, I just don’t know them that well. It also has good support for Proxmox, which is the hypervisor I use.
- CLI configuration
I love the command line, so being able to do everything via CLI is always a plus for me. By forsaking a web UI they can focus on making the CLI experience good, and it is. While learning rule creation can be a bit of a hurdle at first, once you get it down it goes quickly. And CLI means script-based automation.
- Low resource usage
VyOS only requires 1 CPU core, 512 MiB of RAM, and 2 GiB of storage to run. Of course, giving it more helps with performance, especially if it’s being used for BGP. But for most people, being able to run an OS on the specs of the original Raspberry Pi is pretty sweet.
- Rolling and LTS
VyOS has both a rolling and an LTS release. Now, the LTS is typically a paid product, but since it is open source you can just build it from source. Gotta love it when that actually works. Or you can go rolling and get all the latest developments at the expense of some possible bugs.
VyOS for sure isn’t everyone’s thing, especially if they don’t like the command line. But I hope that people consider better alternatives to pfSense, like OPNsense.